I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty.
I was poking at a fintech’s mobile API and noticed something that made no sense. GET /v1/accounts returned 401. GET /v1/accounts/ returned 200 with full account data. One character. Completely different security posture.

What I was looking at

The API ran on AWS HTTP API — the newer, cheaper alternative to REST API. Lambda authorizer checked a JWT against Cognito, returned an IAM policy. Standard.

Routes in OpenAPI (YAML):

/v1/accounts:
  get:
    x-amazon-apigateway-integration:
      uri: arn:aws:apigateway:...
/...
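A defender-side regression check for the class of gap described above: every protected route must deny an unauthenticated request on both its bare and trailing-slash form. This is an added example, not code from the post; the `FAKE_API` table and `fake_send` are a constructed stand-in that reproduces the 401-vs-200 observation so the check can run offline.

```python
"""Trailing-slash auth-parity check for API Gateway routes (added example)."""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stand-in for the deployed API: status code returned to an
# UNAUTHENTICATED request for each (method, path). Mirrors the post's
# observation: /v1/accounts is protected, /v1/accounts/ is not.
FAKE_API: Dict[Tuple[str, str], int] = {
    ("GET", "/v1/accounts"): 401,
    ("GET", "/v1/accounts/"): 200,
    ("GET", "/v1/profile"): 401,
    ("GET", "/v1/profile/"): 401,
}

# Responses that mean "not exposed": denied by the authorizer, or no route.
DENIED_OR_ABSENT = {401, 403, 404}


def fake_send(method: str, path: str) -> int:
    """Constructed transport: look up the unauthenticated response code."""
    return FAKE_API.get((method, path), 404)


def path_variants(path: str) -> List[str]:
    """Return the bare and trailing-slash forms of a route path."""
    base = path.rstrip("/") or "/"
    return [base] if base == "/" else [base, base + "/"]


def find_auth_parity_gaps(
    protected: Iterable[Tuple[str, str]],
    send: Callable[[str, str], int],
) -> List[Tuple[str, str, Dict[str, int]]]:
    """Probe each protected route without credentials, in both path forms.

    A route is reported when ANY variant answers with a code outside
    DENIED_OR_ABSENT, i.e. the authorizer did not run for that spelling.
    """
    gaps = []
    for method, path in protected:
        statuses = {v: send(method, v) for v in path_variants(path)}
        if any(code not in DENIED_OR_ABSENT for code in statuses.values()):
            gaps.append((method, path.rstrip("/") or "/", statuses))
    return gaps


if __name__ == "__main__":
    routes = [("GET", "/v1/accounts"), ("GET", "/v1/profile")]
    for method, path, statuses in find_auth_parity_gaps(routes, fake_send):
        print(f"AUTH PARITY GAP {method} {path}: {statuses}")
```

Run it against the real API by swapping `fake_send` for a function that issues the request without an Authorization header and returns the status code; wire it into CI so a route that is only protected in one spelling fails the build.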
Read more at theguptalog.blogspot.com